If you happen to be affected by the CrowdStrike catastrophe, my sympathies for the stress it has put on you, but know there is light ahead. The good news is that there has been a good amount of support and direction from the IT community.
Standard Guidance
- Boot Windows into Safe Mode or the Windows Recovery Environment.
- Navigate to the C:\Windows\System32\drivers\CrowdStrike directory.
- Locate and delete the file matching “C-00000291*.sys”.
- Boot the host normally.
Additional guidance is available (see the linked article) for Azure virtual machines that cannot be booted into Safe Mode.
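The four steps above, as an added PowerShell example that is not part of the original post. It assumes an elevated PowerShell prompt in Safe Mode, or PowerShell inside the Windows Recovery Environment, where the affected Windows volume may not be mounted as C:, so the script searches every filesystem drive for the CrowdStrike driver directory unless you pass `-SystemDrive`.

```powershell
<#
  Added example (not vendor code): locate and remove the faulty channel file
  named in the Standard Guidance, then prompt you to reboot normally.
  Assumption: run as Administrator from Safe Mode or from PowerShell in WinRE.
  Run with -WhatIf first to see what would be deleted without touching anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Optional: drive letter of the affected Windows volume (e.g. 'D:' in WinRE).
    [string]$SystemDrive
)

# File name pattern from the remediation guidance.
$Pattern = 'C-00000291*.sys'

# Candidate volumes: the one given, or every filesystem drive PowerShell can see.
$candidates = if ($SystemDrive) {
    @($SystemDrive.Substring(0, 1) + ':')
} else {
    Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name):" }
}

$found = @()
foreach ($drive in $candidates) {
    $dir = Join-Path $drive 'Windows\System32\drivers\CrowdStrike'
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Verbose "Checking $dir"
    # @() keeps $found a flat array even when nothing matches on this drive.
    $found += @(Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -ErrorAction SilentlyContinue)
}

if ($found.Count -eq 0) {
    Write-Host "No file matching $Pattern found in any CrowdStrike driver directory."
    return
}

foreach ($file in $found) {
    # Record name, size and timestamp before removal so the action is auditable.
    Write-Host ('Found {0} ({1} bytes, written {2:u})' -f $file.FullName, $file.Length, $file.LastWriteTime)
    if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete faulty channel file')) {
        Remove-Item -LiteralPath $file.FullName -Force
        Write-Host "Deleted $($file.FullName). Boot the host normally."
    }
}
```

Save it as, for example, Remove-ChannelFile.ps1 and run `.\Remove-ChannelFile.ps1 -WhatIf -Verbose` before the real run; in WinRE, pass `-SystemDrive` if you already know which letter the Windows volume received.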
Interested in Uninstalling Crowdstrike?
Now I won't advocate for uninstalling CrowdStrike based on this one event. To be clear, this could happen with any EDR solution you choose, since every EDR product has deep hooks into the operating system to collect and analyze the telemetry it needs.
But if you do choose to change vendors, one thing you'll need in order to uninstall is the CrowdStrike maintenance token.
How to get the CrowdStrike Maintenance Token: